Providing virtual machine services by isolated virtual machines

ABSTRACT

The present disclosure includes methods and systems for providing virtual machine services. A number of embodiments can include a user VM with a virtual workstation, a number of service modules that can provide a number of services without communicating with the user VM and/or the virtual workstation, a communication channel that allows the number of service modules to communicate with each other, a computing device, and a manager. A number of embodiments can also include a virtual machine monitor to enforce an isolation policy within the system.

GOVERNMENT RIGHTS

The subject matter of this disclosure was made with Government support under Agreement FA8750-10-D-0197 awarded by the Air Force. Accordingly, the U.S. Government has certain rights to subject matter disclosed herein.

BACKGROUND

A virtual machine (VM) that can be used by a user can have a number of security issues. For example, a VM can be exposed to malware among other security threats. Malware can harm computational operations and can gain access to sensitive information that can be used to harm a user, for instance. Malware can reproduce itself and can spread from one computer system to a number of other computer systems. Computer systems can become infected by malware, which may be installed knowingly or unknowingly by a user.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 illustrates a system for providing VM services in accordance with a number of embodiments of the present disclosure.

FIG. 2 illustrates a functional block diagram associated with providing VM services in accordance with a number of embodiments of the present disclosure.

FIG. 3 illustrates a functional block diagram associated with providing VM services in accordance with a number of embodiments of the present disclosure.

FIG. 4 illustrates a system for providing VM services in accordance with a number of embodiments of the present disclosure.

DETAILED DESCRIPTION

The present disclosure includes methods and systems for providing virtual machine services. A number of embodiments can include providing a user virtual machine (VM) having access to a number of virtual resources. A number of embodiments can also include providing a number of service VMs having a number of service modules that provide a number of services to the user VM by accessing the number of virtual resources. A number of embodiments can also include isolating the user VM from the number of service VMs through a virtual machine monitor that prevents communication between the user VM and the number of service VMs.

A number of embodiments can include instructions stored on a computer readable medium which are executed by a processor to provide virtual machine services as described herein. As one example, instructions stored on a computer readable medium can be executed by a processor to provide a communication channel within a computing device. Instructions stored on a computer readable medium can be executed by a processor to provide a number of service VMs having a number of service modules that are part of the communication channel. Instructions stored on a computer readable medium can be executed by a processor to deliver a number of messages through the communication channel between the number of service modules, wherein the number of messages are delivered in response to detecting abnormal behavior that is associated with a user VM. Instructions stored on a computer readable medium can be executed by a processor to perform a number of services by the number of service modules through an introspection library without communicating with the user VM, wherein the number of services are performed for the user VM which is isolated from the communication channel, the number of service modules, and the number of service VMs.

A number of embodiments can provide benefits such as enhanced security relative to previous VM environments. Furthermore, a number of embodiments can provide benefits such as an infrastructure that can allow a number of service VMs to provide a number of services. A number of embodiments can also provide benefits such as allowing a number of sets of third party computer readable instructions (CRI) from different vendors to be used within the same infrastructure.

In the following detailed description of the present disclosure, reference is made to the accompanying drawings that form a part hereof, and in which are shown by way of illustration how a number of embodiments of the disclosure may be practiced. These embodiments are described in sufficient detail to enable those of ordinary skill in the art to practice the embodiments of this disclosure, and it is to be understood that other embodiments may be utilized and that process, electrical, and/or structural changes may be made without departing from the scope of the present disclosure.

The figures herein follow a numbering convention in which the first digit or digits correspond to the drawing figure number and the remaining digits identify an element or component in the drawing. Similar elements or components between different figures may be identified by the use of similar digits. For example, 210 may reference element “10” in FIG. 2, and a similar element may be referenced as 310 in FIG. 3. As will be appreciated, elements shown in the various embodiments herein can be added, exchanged, and/or eliminated so as to provide a number of additional embodiments of the present disclosure. In addition, the proportion and the relative scale of the elements provided in the figures are intended to illustrate the embodiments of the present invention, and should not be taken in a limiting sense. Also, as used herein “a number of” something can refer to one or more of such things.

Various embodiments of the present disclosure can be performed by execution of CRI (e.g., in the form of software and/or firmware), hardware, application modules, and the like, executable and/or resident on the tools, systems, and devices shown herein or otherwise. As used herein, a virtual machine monitor (e.g., hypervisor) refers to CRI (e.g., software) that provide virtualization support for a number of virtual machines (VMs). A VM can operate as a standalone computing device (e.g., with an operating system, applications, etc.) except that it runs in a virtualized environment provided by the virtual machine monitor. A virtual machine monitor itself may require a privileged VM to emulate hardware and firmware calls for the unprivileged VMs. The privileged VM can provide interfaces to virtual hardware devices that the virtual machine monitor can export to unprivileged VMs. The privileged VM can translate operations on these virtual hardware devices to operations on shared physical hardware devices. This privileged VM can have a “privileged” view of the internal operation of the unprivileged VMs.

A VM can have virtual system hardware and guest CRI. The virtual system hardware can include at least one virtual central processing unit (CPU), virtual memory, and a number of virtual storage devices. The guest VM can include a guest Operating System (OS) and a number of drivers as needed for the various virtual storage devices. As used herein, the term guest can make reference to components that are part of a VM. For example, a host platform (e.g., computing device) can include an OS that can be referred to as a host OS and a VM can include an OS that can be referred to as a guest OS.

A VM can operate on a computing device under its own context, which can be provided by a virtual machine monitor. A context of a VM can include the state of virtual address space, as well as a set of registers, for example. A context of a VM can also include the state of a number of virtual storage devices.

A number of VMs can operate on a computing device while being isolated from each other. The number of VMs can share resources from a computing device even though a number of VMs can remain isolated from each other. For example, executable files can be accessed by a guest OS from a virtual disk and/or virtual memory which can be mapped to portions of the physical disk (e.g., host disk) or physical memory (e.g., host memory) respectively. The allocation of physical disk space and/or physical memory can be determined by a virtual machine monitor.

FIG. 1 illustrates a system 100 for providing VM services in accordance with a number of embodiments of the present disclosure. In the example shown in FIG. 1, the system 100 includes a computing device 102 in communication with a manager 118 via a communication channel 116.

The computing device 102 can support a number of users to accomplish various tasks through a number of applications, for example. The computing device 102 can support a number of users directly, indirectly, and/or remotely. The computing device 102 can be a computer system, which can include a number of hardware resources 104 and/or devices attached thereto. Hardware resources 104 and/or devices can include physical memory, a display, disk drives, USB devices or USB peripherals, and/or network interface cards, among others.

In a number of embodiments, a virtual machine monitor 106 can provide a number of VMs with shared access to the hardware resources 104. The virtual machine monitor 106 can be a native (e.g., bare metal) virtual machine monitor and/or a hosted virtual machine monitor. A native virtual machine monitor can include, for example, a virtual machine monitor that runs directly on the hardware resources 104. A hosted virtual machine monitor can include, for example, a virtual machine monitor that runs within an OS environment. A native virtual machine monitor can have a smaller attack surface than a hosted virtual machine monitor. A virtual machine monitor can use hardware virtualization support that can assist in separating a number of VMs that run within the environment created by the virtual machine monitor. In a number of embodiments of the present disclosure, a native virtual machine monitor and/or a hosted virtual machine monitor can be used to support a number of VMs.

In a number of embodiments, the virtual machine monitor 106 can support different VM types. For example, as shown in FIG. 1, the virtual machine monitor 106 can support a user VM 110 and a number of service VMs 108-1, 108-2 (e.g., referred to generally as 108). The user VM 110 can be a guest VM that can contain a virtual workstation 114. Although one user VM 110 and one virtual workstation 114 are shown in FIG. 1, a number of user VMs can be supported by computing device 102 and a number of virtual workstations can be contained by user VM 110. The user VM 110 and/or the virtual workstation 114 can include services and/or functions that support a number of users. As used herein, a user can include a human user and/or an automated user. The user VM 110 and/or the virtual workstation 114 can provide user services and/or functions through a guest OS and/or software programs.

The communication channel 116 can include a messaging infrastructure and message schema. For example, the communication channel 116 can include a virtual network. The communication channel 116 can, for example, facilitate delivery of messages between a number of service modules which can be referred to as codepacks 112-1, 112-2, 112-3, . . . , 112-N and/or between the number of codepacks 112-1, 112-2, 112-3, . . . , 112-N and the manager 118. The various codepacks 112-1, 112-2, 112-3, . . . , 112-N may be collectively referred to as 112.

The communication channel 116 can be configured to restrict communication between the codepacks 112 and a number of external networks. The restrictions can prevent communication between a number of codepacks 112 and the user VM 110 and/or a virtual workstation 114. In a number of embodiments of the present disclosure, the restrictions can prevent the user VM 110 and virtual workstation 114 from being aware of the existence of the number of codepacks 112 by preventing the user VM 110 and the virtual workstation 114 from communicating with (e.g., “seeing”) the number of codepacks 112. In a number of embodiments of the present disclosure, communications between the number of codepacks 112 can be invisible to the virtual workstation 114 and user VM 110. The communication channel 116 can be configured with the above restrictions through virtual machine monitor 106, for example.

The manager 118 can include a privileged VM that manages the operations of the number of codepacks 112 and the service VMs 108. The manager 118 can dynamically install and/or remove the number of codepacks 112, establish and maintain configurations associated with the number of codepacks 112, and manage communications between the number of codepacks 112 (e.g., via communication channel 116) to support collaborative and orchestrated operations (e.g., between and/or among the codepacks 112). The manager 118 can also provide a user interface to a system administrator such that the system administrator can manage the number of codepacks 112. The manager 118 can support a number of codepacks 112 that can be located in a single computing device 102 and/or a number of additional computing devices (not shown). In a number of embodiments, codepacks 112 can provide a number of services to a number of virtual workstations and a number of user VMs running on a number of computing devices.

In a number of embodiments of the present disclosure, the number of codepacks 112 can communicate with each other through communication channel 116 by sending messages to coordinate their activities and/or adjust their policies. The number of messages can pass through a message broker 115 that can restrict communication patterns. For example, a communication pattern can include a number of messages that can be sent from one of the number of codepacks 112 to another codepack (e.g., orchestration codepack). In such embodiments, the orchestration VM can be a service VM (e.g., 108-1) that orchestrates the services provided to a user VM (e.g., 110). The message broker 115 can restrict access to the communication channel 116 based on an identification assigned to each of the number of service modules by an authentication mechanism. The message broker 115 can keep a log of a number of messages that pass through the message broker 115 and can provide the log to a system administrator (e.g., by making the log available to the manager 118 through communication channel 116). A message broker 115 can be hosted in a number of locations that enable it to be connected to the communication channel 116.

As used herein, a message can include a request and/or a response, among other communications. For example, a first message can include a request that a first codepack 112-1 can provide to a second codepack 112-2 and a second message can include a response that the second codepack 112-2 can provide to the first codepack 112-1. In a number of embodiments, a message can be an alert. For example, a message can be an alert that a first codepack 112-1 can send to a number of other codepacks 112. The alert can include, for instance, a notification that a change has occurred and/or that a security threat has been detected, among other types of alerts. A number of messages can be sent in response to the detection of abnormal behavior that is associated with a user VM 110 and/or virtual workstation 114. Abnormal behavior can include behavior by the user VM 110 and/or virtual workstation 114 that indicates that a security threat exists in the user VM 110 and/or virtual workstation 114.

Access to a message broker 115 can be based on an authentication mechanism. An authentication mechanism can be used to uniquely identify each of the codepacks and an associated security policy. For example, an authentication mechanism can include a number of certificates that can be assigned to the number of codepacks 112. A policy that is associated with the number of certificates can determine which messages a given codepack 112 is allowed to send and/or receive. Each computing device (e.g., 102) can have a message broker 115, and a number of message brokers in different computing devices can communicate through a communication channel (e.g., 116). The message broker 115 can distribute a number of messages through a message queue that can be persistent such that the messages can survive a number of failures.
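The three preceding paragraphs describe the message broker as a policy enforcement point: a codepack is identified by its certificate, a policy bound to that identity says which message kinds (request, response, alert) it may send and receive, every message is logged for the manager, and a party with no certificate (the user VM) cannot use the channel at all. The following Python sketch is an added example, not code from the disclosure. The certificate blobs, their SHA-256 fingerprints used as identities, the codepack names and the send/receive policy table are all constructed for the example; a real broker would verify a signed certificate chain before trusting a fingerprint, and would back the per-recipient queue with persistent storage rather than an in-memory deque.

```python
import hashlib
import time
from collections import deque


def fingerprint(cert_blob: bytes) -> str:
    """Identity of a codepack = SHA-256 fingerprint of its certificate.
    Assumption: the blobs below stand in for cryptographically signed
    certificates whose chain has already been verified."""
    return hashlib.sha256(cert_blob).hexdigest()


# Constructed certificates issued to the codepacks; the user VM holds none.
CERTS = {
    "codepack-112-1": b"CONSTRUCTED-CERT virus-scan",
    "codepack-112-2": b"CONSTRUCTED-CERT firewall",
    "orchestration": b"CONSTRUCTED-CERT orchestration",
}
TRUST_STORE = {fingerprint(blob): name for name, blob in CERTS.items()}

# Policy bound to each certificate: message kinds the holder may send/receive.
POLICY = {
    "codepack-112-1": {"send": {"alert", "response"}, "recv": {"request"}},
    "codepack-112-2": {"send": {"alert", "response"}, "recv": {"request", "alert"}},
    "orchestration": {"send": {"request"}, "recv": {"alert", "response"}},
}


class MessageBroker:
    """Policy enforcement point on the communication channel: authenticates
    the sender by certificate, applies the send/receive policy, queues
    deliveries per recipient and logs every decision for the manager."""

    def __init__(self, trust_store, policy):
        self.trust_store = trust_store
        self.policy = policy
        self.queues = {name: deque() for name in policy}   # in-memory stand-in
        self.log = []                                      # audit log for the manager

    def _record(self, outcome, sender, kind, recipient):
        self.log.append({"time": time.time(), "outcome": outcome,
                         "sender": sender, "kind": kind, "recipient": recipient})

    def _authenticate(self, cert_blob):
        return self.trust_store.get(fingerprint(cert_blob))

    def publish(self, cert_blob, kind, recipient, body):
        """Deliver one message; returns True only if policy allowed it."""
        sender = self._authenticate(cert_blob)
        if sender is None:
            self._record("rejected:unauthenticated", None, kind, recipient)
            return False
        if kind not in self.policy[sender]["send"]:
            self._record("rejected:send-policy", sender, kind, recipient)
            return False
        if recipient not in self.policy or kind not in self.policy[recipient]["recv"]:
            self._record("rejected:recv-policy", sender, kind, recipient)
            return False
        self.queues[recipient].append({"from": sender, "kind": kind, "body": body})
        self._record("delivered", sender, kind, recipient)
        return True

    def broadcast(self, cert_blob, kind, body):
        """Send (e.g. an alert) to every other party allowed to receive it;
        returns the list of recipients that actually got it."""
        sender = self._authenticate(cert_blob)
        return [r for r in self.policy
                if r != sender and self.publish(cert_blob, kind, r, body)]

    def receive(self, cert_blob):
        """Pop the next queued message for the authenticated caller, if any."""
        name = self._authenticate(cert_blob)
        if name is None:
            return None
        return self.queues[name].popleft() if self.queues[name] else None
```

The policy table is the interesting part: the orchestration codepack can only issue requests, the scanning codepack can only answer them or raise alerts, and a forged certificate never reaches the policy check because it has no entry in the trust store. The log records rejections as well as deliveries, which is what a system administrator would review to spot a codepack trying to exceed its policy.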

The number of service VMs 108 can be guest VMs that can be containers for the number of codepacks 112 that can provide CRI for providing services to the user VM 110 and/or virtual workstation 114. A service VM 108 can provide a guest OS on which a number of codepacks 112 can execute. In a number of embodiments of the present disclosure, a number of service VMs 108 can be invisible to the user VM 110.

The codepacks 112 can include CRI (e.g., code) executed to provide a number of services, directly or indirectly, to user VM 110 and/or virtual workstation 114. In a number of embodiments of the present disclosure, the number of services provided by codepack 112 can include security related services. For example, the number of services can include a virus scan service and/or firewall service, among others. The number of services can also include services supporting robust operations of the user VM 110 and/or the virtual workstation 114. The codepacks 112 can have a number of different permissions and/or privileges depending on the services provided, for instance. For example, a virtual machine monitor 106 can grant a first codepack 112-1 a number of privileges that can allow the first codepack 112-1 access to a virtual storage device associated with virtual workstation 114 and/or user VM 110.

A service VM 108 can be a private service VM and/or a shared service VM. For example, a private service VM can include a codepack (e.g., 112-1) that is assigned to a service VM (e.g., 108-1). A shared service VM can include a codepack (e.g., 112-2) that shares the service VM (e.g., 108-2) with a number of codepacks (e.g., 112-3, . . . , 112-N).

In a number of embodiments of the present disclosure, the CRI that can be included in the number of codepacks 112 can include sets of third party CRI from various different sources (e.g., vendors). For example, a first codepack (e.g., 112-1) can include a first set of CRI, from a first source, that provide a number of services to user VM 110 and/or virtual workstation 114 while a second codepack (e.g., 112-2) can include a second set of CRI, from a second source, that provide a number of services to the user VM 110 and/or virtual workstation 114. That is, CRI from a number of different sources can be used to provide a number of services through the number of codepacks 112 regardless of an OS that can be executing on virtual workstation 114. Furthermore, CRI from a number of different sources can be used even if the CRI have not been configured to communicate with virtual workstation 114 and/or user VM 110.

A number of the codepacks 112 can provide an infrastructure for a number of sets of third party CRIs to perform a number of services for user VM 110 and/or virtual workstation 114. The infrastructure can include a communication channel 116 that includes a number of service VMs 108 and a number of codepacks 112, but does not include a user VM 110. That is, communication channel 116 allows direct communication between manager 118 and service VMs 108, but does not allow direct communication between manager 118 and user VM 110 and/or between service VMs 108 and user VM 110. The infrastructure 116 can also be used to provide the number of services. For example, a third party set of CRI designed to perform a number of services from within user VM 110 and/or virtual workstation 114 can perform the services through communication channel 116 and through an introspection library (e.g., 117) from outside the user VM 110 and/or a virtual workstation 114 without having to modify the third party CRI's design. An introspection library will be described further herein below.

The codepacks 112 can include CRI that can be executed to perform an intended (e.g., designated) particular function (e.g., scan for malware, filter traffic, etc.). In a number of embodiments, the codepacks 112 can be executed to perform the particular functions independently and/or through an introspection library 117. The codepacks 112 can also include items such as a requirements declaration, a certificate, a management policy, a security policy, and/or a baseline configuration, among other items. A requirements declaration can, for example, describe the resources required by the codepack to perform a number of particular services. A description of the resources required by the codepack can include an optimal description and a minimal description, among others. An optimal description can, for example, describe the resources that a codepack requires to perform the number of particular services at an optimal level. A minimal description can, for example, describe the resources that a codepack needs to perform a minimum number of services and/or to perform the number of particular services at a minimal level. Resources required by a codepack can include a service VM type (e.g., private or shared), OS preferences, and/or memory requirements, among others.
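The requirements declaration above carries two resource descriptions, optimal and minimal, over service VM type (private or shared), OS preference and memory. The following Python code is an added example of how a manager could consume such a declaration when choosing a service VM for a codepack; it is not code from the disclosure. The dataclass field names, the fallback order (try the optimal description on every VM before accepting the minimal one) and the sample inventory of three service VMs are assumptions made for the example.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class ResourceDescription:
    """One level of a requirements declaration (optimal or minimal)."""
    vm_type: str       # "private" or "shared" service VM
    os: str            # guest OS the codepack's CRI runs on
    memory_mb: int


@dataclass(frozen=True)
class RequirementsDeclaration:
    codepack: str
    optimal: ResourceDescription
    minimal: ResourceDescription


@dataclass
class ServiceVm:
    """A service VM in the manager's inventory (constructed for the example)."""
    name: str
    os: str
    free_memory_mb: int
    shared: bool                       # shared service VM or private one
    codepacks: list = field(default_factory=list)


def fits(vm: ServiceVm, desc: ResourceDescription) -> bool:
    """Does this service VM satisfy one resource description?"""
    if vm.os != desc.os or vm.free_memory_mb < desc.memory_mb:
        return False
    if desc.vm_type == "private":
        return not vm.shared and not vm.codepacks   # a private VM must be unoccupied
    return vm.shared


def place_codepack(vms, decl):
    """Try the optimal description on every VM first, then fall back to the
    minimal one; returns (vm name, level) or None if the codepack cannot run."""
    for level, desc in (("optimal", decl.optimal), ("minimal", decl.minimal)):
        for vm in vms:
            if fits(vm, desc):
                vm.codepacks.append(decl.codepack)
                vm.free_memory_mb -= desc.memory_mb
                return vm.name, level
    return None


def sample_inventory():
    """Constructed inventory: two private Linux service VMs and one shared
    Windows service VM (names chosen to echo the 108-x numbering)."""
    return [
        ServiceVm("108-1", os="linux", free_memory_mb=1024, shared=False),
        ServiceVm("108-2", os="windows", free_memory_mb=2048, shared=True),
        ServiceVm("108-3", os="linux", free_memory_mb=512, shared=False),
    ]
```

Returning the level alongside the placement matters operationally: a codepack running under its minimal description is delivering reduced service, and the manager's management policy (described further below) may want to restart it on a better VM when one frees up.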

A certificate associated with a codepack can include a cryptographically signed certificate. A certificate can include information that can be used at a policy enforcement point (e.g., message broker 115 or manager 118) to determine what access to grant. Access can include a number of privileges associated with accessing the hardware 104 of computing device 102, among other types of privileges.

A management policy associated with a codepack can be used by a manager 118 to regulate the operation of the number of codepacks 112. For example, a management policy can include a policy associated with starting and/or stopping a codepack (e.g., policy that describes the conditions under which a codepack can be started and/or stopped). A management policy can define how codepacks 112 perform a number of services depending on the status of the codepacks 112 and/or the status of the user VM 110 and/or the status of the virtual workstation 114. A management policy can be altered and/or changed. For example, a manager 118 can alter and/or change a management policy associated with a codepack 112-1.

A security policy associated with a codepack can specify the access that a codepack can have to files associated with a codepack, networking messages associated with a user VM 110, memory assigned to a user VM 110, a message broker 115, and/or virtual storage devices, among others. A security policy can be modified (e.g., by a manager 118) to grant a codepack greater access and/or to restrict the access assigned to the codepack. A baseline configuration can include the settings required to start a codepack in a default mode. Additional configurations can be added to a codepack as needed.

The CRI, requirement declaration, certificate, management policy, security policy, and/or baseline configuration associated with a codepack can be referred to generally as a configuration associated with a codepack. The configuration associated with a codepack can be managed by the codepack and a manager 118. The configurations can change dynamically based on the state of the codepacks 112, a virtual workstation 114, a user VM 110, and/or the computing device 102. For example, the configurations can indicate an access level that a codepack 112-1 can have to known external devices attached to computing device 102. For example, when an unknown device is attached to computing device 102, a codepack 112-1 can request additional configurations that determine the access level that the codepack 112-1 can have to the unknown device. A particular device can be known or unknown based on whether a codepack has configurations that grant or deny access such that the device is unknown if a codepack does not have configurations regarding the particular device. Dynamically, as referred to in association with configurations, can indicate that the configurations can be changed at a number of particular times to reflect a current state of the number of codepacks 112, a virtual workstation 114, a user VM 110, and/or the computing device 102.

A determination can be made that a particular codepack 112 does not have adequate configurations and that the codepack needs to receive additional and/or different configurations. A determination can be made by the particular codepack 112 itself and/or by a manager 118. For example, a codepack 112 can determine that it needs additional configurations and the codepack 112 can request the additional configurations (e.g., from the manager 118). The manager 118 can send the additional configurations to the codepack 112. The additional configurations can be installed by the codepack 112 and/or the manager 118.

As indicated above, a codepack can provide a number of services through an introspection library (e.g., 117). An introspection library may be included in each codepack. For instance in this example, codepack 112-1 includes introspection library 117-1, codepack 112-2 includes introspection library 117-2, codepack 112-3 includes introspection library 117-3, . . . , and codepack 112-N includes introspection library 117-N. In a number of embodiments of the present disclosure, an introspection library can be located at the VM level. For example, a first introspection library can be included in a first VM, regardless of the number of codepacks in the VM, and a second introspection library can be included in a second VM.

In a number of embodiments, the introspection library can be hosted in a distinct introspection VM. For example, the codepacks 112 can access an introspection library through the introspection VM, instead of including it directly.

An introspection library 117 can include CRI executed to provide access to virtual resources that are assigned to and/or associated with a user VM 110. In a number of examples, virtual resources can include memory pages that are assigned to and/or associated with the user VM 110, the network traffic associated with the user VM 110, and/or a number of virtual storage devices assigned to and/or associated with a user VM 110, among other virtual resources.

Providing access can include low-level access. Low-level access can include providing access to low-level context-free VM state, such as data stored in virtual CPU registers, memory pages, and/or virtual disk images. Providing access can further include high-level access. High-level access can include applying OS semantics to the data obtained via low-level access to provide access to high-level, OS-specific VM state, such as processes, files and/or network connections. The low-level access can allow the introspection library to obtain knowledge of the OS semantics required for the specific OS running on a user VM 110 and/or virtual workstation 114. Knowledge of the OS semantics can be obtained by gathering information from the virtual CPU registers, memory pages, and/or virtual disk images. The gathered information can allow the introspection library to determine a specific OS without requiring that a user provide that information. Having knowledge of the OS can allow an introspection library to provide a high-level interface to virtual resources that are associated with the OS.

A high-level interface can include passive and active introspection. Passive introspection can grant read access but not write access. For example, passive introspection can determine a number of processes that are running on an OS by providing read-only access to virtual resources. Active introspection can grant read/write access to virtual resources associated with the OS kernel. For example, active introspection can terminate a process (e.g., kill process) by modifying the OS kernel internals in a way that causes the OS to terminate a targeted process.

An introspection library 117 can provide access to non-resident memory associated with a user VM 110 and/or virtual workstation 114. Non-resident memory can include memory that has been swapped out to disk. Memory can be swapped out to disk when, for example, room is needed in a number of memory pages and/or when data was never read in from the disk (e.g., demand paging), among other reasons for swapping out memory to disk. An introspection library 117 can make non-resident memory available to a codepack.

In a number of embodiments of the present disclosure, the introspection library 117 can provide access to the virtual resources without communicating with the user VM 110 and/or a virtual workstation 114. Furthermore, the introspection library 117 can provide access to the virtual resources associated with the user VM 110 and/or virtual workstation 114 without communicating with the user VM 110 and/or virtual workstation 114. The codepacks 112 can provide services to the user VM 110 and/or virtual workstation 114 through the read/write access provided by the introspection library 117. For example, a codepack 112-1 can provide a virus scan service to the virtual workstation 114 by accessing a number of memory pages assigned to the virtual workstation 114 through access granted by an introspection library.

The introspection library can provide access to physical memory pages. As used herein, physical memory pages refer to memory pages that are local to a computing device 102. Physical memory pages can include memory pages that have a physical address. The introspection library can also provide access to memory pages through a virtual address and/or an OS kernel symbol, for instance. The physical memory pages can include memory pages that are assigned and/or associated with the user VM 110 and/or virtual workstation 114. For example, physical memory pages can contain code that can be scanned by a codepack 112-1 that provides virus scan services. By accessing the physical memory pages through the introspection library, and not through the user VM 110 and/or virtual workstation 114, a codepack 112-1 can ensure that the physical memory pages that the codepack 112-1 accesses have not been tampered with by malware. As used herein, contamination can refer to the presence of malware and/or other CRI that can harm a user VM 110, a virtual workstation 114, service VMs 108, and/or codepacks 112, for instance. In this context, “harm” can refer to interference with normal and/or expected execution. Harm to a user can also come in the form of misappropriation of sensitive/personal data. For example, a user can be harmed when sensitive data (e.g., bank account information) is distributed to a third party for whom the data was not intended.

An introspection library 117 can provide a number of interfaces that can be used to verify the runtime integrity of the virtual workstation 114 and/or user VM 110. The number of interfaces can allow the number of codepacks 112 to detect unexpected or modified CRI in the virtual workstation 114 and/or user VM 110. The introspection library 117 can provide a list of a number of processes running on the virtual workstation 114, for example, and/or resources associated therewith. The introspection library 117 can produce a list of the drivers loaded in a kernel that are associated with the virtual workstation 114 and/or user VM 110. The introspection library 117 can scan or monitor regions of memory, including memory associated with a specific process, driver, and/or an OS kernel. The introspection library 117 can produce a list of all open network connections and identify which process initiated each connection.

The introspection library 117 can provide a number of interfaces that can be used to perform file system integrity checks and virus scanning. The introspection library 117 can grant access to raw disk sectors that comprise the virtual disk image used by the user VM 110 and/or virtual workstation 114. The introspection library 117 can grant access to the filesystem on the virtual disk image used by the user VM 110 and/or virtual workstation 114. The introspection library 117 can grant access to OS configuration data stored in a filesystem. OS configuration data can be, for instance, a Microsoft Windows OS registry. The introspection library 117 can perform the above mentioned functions by applying OS semantics to VM states obtained from physical memory pages and/or a number of virtual storage devices, for instance.

The introspection library 117 can provide a number of interfaces for indirectly managing an OS and applications in the virtual workstation 114 and/or user VM 110. An introspection library can kill (e.g., terminate) a number of processes running on a virtual workstation 114. For example, a codepack 112-1 can access the physical memory pages and/or virtual storage devices associated with a virtual workstation 114 through an introspection library. The access can be granted on a read and write basis, for example. The codepack 112-1 and/or the introspection library can read the physical memory pages and/or the virtual storage devices to locate a process with a specific process identifier (PID) and can terminate the process through a write access by directly modifying VM memory. In a number of embodiments of the present disclosure, the introspection library 117 can provide more or fewer functions to a codepack 112.

The introspection library 117 can allow a codepack 112 to access data associated with a user VM 110 and/or a virtual workstation 114 without requiring that an agent (e.g., a virtual workstation agent) be located within the user VM 110 and/or the virtual workstation 114. An agent can include CRI that can be executed to allow a codepack 112 to communicate with a user VM 110 and/or a virtual workstation 114. An agentless approach to providing a number of services can allow a codepack 112 to provide a number of services to the user VM 110 and/or virtual workstation 114 without interacting with the untrusted OS or applications running in the virtual workstation 114 and/or user VM 110.

The introspection library 117 can allow a codepack 112 to access data associated with a user VM 110 and/or a virtual workstation 114 regardless of a specific software configuration associated with the user VM 110 and/or the virtual workstation 114. For example, a codepack 112 can provide a number of services to a virtual workstation 114 regardless of a specific OS associated with the virtual workstation 114 without requiring that the codepack 112 be modified to communicate with the specific OS. This infrastructure can allow third party codepacks to provide services without requiring that the third party codepacks be configured to communicate with a specific OS. As used herein, third party codepacks can include codepacks that are created by a third party to function with a number of different OSs.

An introspection library 117 can include generic introspection logic and specific introspection logic. Specific introspection logic can include logic that is specific to an OS. Logic can be specific to an OS when it is designed to work with a specific OS. Generic introspection logic can include logic that is designed to work with a number of OSs. An introspection library 117 can include a collection of OS modules that describe the details of a specific OS. Details of a specific OS can include structure definitions and/or the layout of structures in memory that are associated with a specific OS.

An introspection library 117 can determine what introspection logic to use depending on an OS that is associated with a user VM 110 and/or virtual workstation 114. For example, an introspection library 117 can determine based on an OS fingerprint which version of an OS is running in the user VM 110. The introspection library 117 can augment generic introspection logic at runtime with specific introspection logic based on the particular version of the OS running in the user VM 110. An OS fingerprint can include OS version information stored in memory and/or virtual disk images associated with the user VM 110 and obtainable via introspection.
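As an added example (not code from the disclosure), the following Python sketch shows generic introspection logic being augmented at runtime with OS-specific structure layouts selected by an OS fingerprint found in guest memory, and the bounded, cycle-safe walk a service VM needs because the memory it reads belongs to an untrusted user VM. The OS names, fingerprint strings, record layouts, offsets and the in-memory image are all constructed for the example.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

MEM_SIZE = 4096          # size of the constructed guest physical-memory image
FINGERPRINT_ADDR = 0x100  # where the builder writes the OS version string
MAX_RECORDS = 1024        # upper bound on the list walk (guest memory is untrusted)


@dataclass(frozen=True)
class OsModule:
    """Specific introspection logic: how one (constructed) OS version lays out
    its process list in physical memory. Offsets are inside one record."""
    name: str
    fingerprint: bytes   # version string the generic logic searches memory for
    list_head: int       # physical address of the first process record
    record_size: int
    pid_off: int         # 32-bit little-endian PID
    name_off: int        # NUL-padded process name
    name_len: int
    next_off: int        # 32-bit physical address of the next record, 0 = end


# Two hypothetical OS modules with different structure layouts.
OS_MODULES = [
    OsModule("demo-os-1", b"DEMO-OS 1.0", 0x400, 24, pid_off=0, name_off=4, name_len=16, next_off=20),
    OsModule("demo-os-2", b"DEMO-OS 2.0", 0x800, 40, pid_off=36, name_off=4, name_len=32, next_off=0),
]


def build_guest_memory(module: OsModule, processes: List[Tuple[int, str]]) -> bytes:
    """Constructs a fake physical-memory image (stands in for the user VM's
    memory pages) containing the OS fingerprint and a linked process list."""
    mem = bytearray(MEM_SIZE)
    mem[FINGERPRINT_ADDR:FINGERPRINT_ADDR + len(module.fingerprint)] = module.fingerprint
    for i, (pid, name) in enumerate(processes):
        base = module.list_head + i * module.record_size
        nxt = base + module.record_size if i + 1 < len(processes) else 0
        struct.pack_into("<I", mem, base + module.pid_off, pid)
        padded = name.encode().ljust(module.name_len, b"\0")[:module.name_len]
        mem[base + module.name_off:base + module.name_off + module.name_len] = padded
        struct.pack_into("<I", mem, base + module.next_off, nxt)
    return bytes(mem)


def fingerprint_os(mem: bytes) -> Optional[OsModule]:
    """Generic logic: choose the OS module whose version string is present in
    memory. Returns None when no module matches."""
    for module in OS_MODULES:
        if mem.find(module.fingerprint) != -1:
            return module
    return None


def list_processes(mem: bytes) -> List[Tuple[int, str, int]]:
    """Generic logic, augmented with the fingerprinted module's layout: walks
    the guest process list and returns (pid, name, physical_address) tuples.
    The walk is bounded and refuses out-of-range or cyclic pointers so a
    corrupted list in the guest cannot hang or crash the service VM."""
    module = fingerprint_os(mem)
    if module is None:
        raise ValueError("unknown guest OS: no introspection module matches")
    seen, out = set(), []
    addr = module.list_head
    while addr and addr not in seen and len(out) < MAX_RECORDS:
        if addr + module.record_size > len(mem):
            raise ValueError(f"process record at {addr:#x} lies outside guest memory")
        seen.add(addr)
        (pid,) = struct.unpack_from("<I", mem, addr + module.pid_off)
        raw = mem[addr + module.name_off:addr + module.name_off + module.name_len]
        name = raw.split(b"\0", 1)[0].decode(errors="replace")
        out.append((pid, name, addr))
        (addr,) = struct.unpack_from("<I", mem, addr + module.next_off)
    return out


def locate_pid(mem: bytes, pid: int) -> Optional[int]:
    """Physical address of the record for `pid` (what a write-capable codepack
    would need to act on that process), or None if it is not running."""
    for p, _, addr in list_processes(mem):
        if p == pid:
            return addr
    return None


if __name__ == "__main__":
    image = build_guest_memory(OS_MODULES[0], [(4, "System"), (1200, "browser.exe")])
    print(fingerprint_os(image).name, list_processes(image))
```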

An introspection library 117 can grant a number of codepacks 112 different accesses to virtual resources associated with a user VM 110 and/or a virtual workstation 114. For example, a first codepack 112-1 can be granted access to a number of memory pages while a second codepack 112-2 can be granted access to network traffic.

Additionally, each user VM can have an associated introspection library and/or introspection VM. For example, a first user VM can have an associated first introspection library and a second user VM can have a second introspection library. The first introspection library can grant access to the virtual resources associated with the first user VM and the second introspection library can grant access to the virtual resources associated with the second user VM. Assigning each user VM a different introspection library can limit the access that codepacks 112 have to each user VM. For example, a first group of codepacks can be granted access to the first user VM and not the second user VM while a second group of codepacks can be granted access to the second user VM and not the first user VM.

In a number of embodiments of the present disclosure, each of a number of codepacks 112 can provide a number of services. For example, a number of codepacks 112 can provide authentication services, firewall services, proxy (e.g., hypertext transfer protocol (HTTP) proxy) services, integrity monitoring services, orchestration services, intrusion detection services, process monitoring services, user reporting services, user VM watchdog services, and/or virus scan services, among others.

For instance, the number of codepacks 112 can include an authentication module (e.g., authentication codepack) that can provide authentication services. An authentication codepack, for example, can monitor a number of smartcard readers and notify other codepacks via the communication channel 116 when a card has been authenticated and/or removed. A smartcard can be a form of identification that identifies a user that is associated with a virtual workstation 114. A number of codepacks 112 can modify their configurations based on the status of a user identity as authenticated by an authentication codepack. A smartcard reader can remain under the control of the authentication codepack and may remain invisible to a user VM 110 and/or a virtual workstation 114, which can limit the exposure that a smartcard reader can have to malware.

The number of codepacks 112 can include a firewall module (e.g., firewall codepack) that can provide firewall services. A firewall codepack can be interposed between a computing device 102 and a network interface. A firewall codepack can regulate network traffic through the use of filters such as iptables and/or ebtables. The regulation of network traffic can occur based on a policy that can be changed to correspond to an authenticated user and/or a threat level. The firewall codepack can alert a number of codepacks 112 when the firewall codepack detects a policy violation and/or a potential policy violation.

The number of codepacks 112 can include a proxy codepack that can provide proxy services. A proxy codepack can filter a number of service requests associated with a user VM 110 and/or a virtual workstation 114 based on a service policy. A proxy codepack can rewrite transactions that are classified as dangerous and/or malformed during the filtering. A proxy codepack can also send a number of alerts to a number of codepacks 112 based on the filtering and rewriting.

The number of codepacks 112 can include an integrity monitor module (e.g., integrity monitor codepack) that can perform integrity checks of files and disk sectors in a number of virtual storage devices that can be associated with a user VM 110 and/or a virtual workstation 114. An integrity monitor codepack can also report discrepancies discovered during the integrity checks. An integrity monitor codepack can monitor the integrity of Windows system files, executable object files, registry keys and boot records, for instance.

The number of codepacks 112 can include a malware police module (e.g., malware police codepack) that can orchestrate the activities of the codepacks 112. For instance, a malware police codepack can orchestrate the activities of the codepacks 112 in cases in which the codepacks 112 are providing a number of services in an orchestrated manner.

The number of codepacks 112 can include a network intrusion detection system (NIDS) module (e.g., NIDS codepack) that can examine outbound network traffic from the user VM 110 and/or the virtual workstation 114. The NIDS codepack can examine outbound network traffic to detect network attacks and/or their precursors (e.g., suspicious behavior). For example, outbound network traffic can be examined to detect scanning behavior that can be associated with a worm. The NIDS codepack can alert the other codepacks 112 when a network attack is detected and/or when suspicious behavior is detected.

The number of codepacks 112 can include a process monitor module (e.g., process monitor codepack) that can gather information about running processes associated with a user VM 110 and/or a virtual workstation 114. The information gathered can include information about a specific process and/or information about a number of running processes that can be associated with a specific activity. For example, an activity can include network activity, such as use of a specific resource, such that a process monitor codepack can gather information about all processes that are using the resource.

A number of codepacks 112 can include a user reporting module (e.g., user reporting codepack) that can relay a number of messages directly to a user. For example, a user reporting codepack can relay a number of messages directly to a human user without communicating with the virtual workstation 114 and/or user VM 110. The message can be relayed to the user through an instant messaging service, a window on the main display, a private audio device used to generate synthesized speech from the message, and/or an integrated display on a smartcard reader, among others. Communicating a message to a human user through a window on the main display can include writing directly to the graphics hardware for the main display and/or introducing a process into the user VM 110 that can create a display without communicating with the virtual workstation 114 and/or user VM 110, among other methods for communicating a message to a human user.

The number of codepacks 112 can include a user VM watchdog module (e.g., user VM watchdog codepack) that can start a user VM 110 during a system boot. A user VM watchdog codepack can also restart a user VM 110 and can notify a manager 118 when the user VM 110 restarts, shuts down, and/or crashes. A user VM watchdog codepack can attach and/or detach a number of peripheral devices. The attachment and/or detachment of a number of peripheral devices can be contingent on an authentication of a user. For example, a number of peripheral devices can be attached when a user is successfully authenticated and can be detached when no user is authenticated. A user VM watchdog can notify a manager 118 of the status of a number of peripheral devices.

The number of codepacks 112 can include a virus scan module (e.g., virus scan codepack) that can inspect selected files and/or devices for known virus signatures. A virus scan codepack can inspect files and/or devices that are peripherally attached to a computing device 102 and associated with a user VM 110 and/or a virtual workstation 114. For example, a virus scan codepack can inspect files located on a USB storage device before making it available to a user VM 110. A report of an inspection can be sent to other codepacks and/or to a manager 118.

The number of codepacks 112 can operate in an independent manner to provide a number of services to a user VM 110 and/or a virtual workstation 114. The codepacks 112 can also operate in an orchestrated manner and/or in a collaborative manner.

In a number of embodiments of the present disclosure, the number of codepacks 112 can perform a collaborative operation to provide a number of services. A collaborative operation can include the number of codepacks 112 working in collaboration while independently providing a number of services and informing the other codepacks 112 of the number of services independently provided. For example, a first codepack 112-1 can send an alert to a number of other codepacks 112. The number of other codepacks 112 can determine how the alert is to be interpreted (e.g., based on their configurations) and/or an action that should be taken in response to the alert. A second codepack 112-2 may ignore the alert while a third codepack 112-3 may determine that a specific action is required in response to the alert.

An orchestrated operation of a number of codepacks can include an orchestration codepack (e.g., a malware police codepack) that can receive a number of messages (e.g., alerts) and that can orchestrate a response to the number of messages. The orchestration codepack can orchestrate a response to the number of messages by communicating the number of messages to the number of codepacks 112. For example, an orchestration codepack can receive an alert that a virus has been detected in a virtual workstation 114 and the orchestration codepack can determine an appropriate response to the alert. The orchestration codepack can initiate an appropriate response by sending a number of messages to the number of codepacks 112, wherein the number of messages are associated with the alert. The appropriate response can then be carried out by the number of codepacks 112. As such, the services that are provided to the user VM 110 and/or virtual workstation 114 can be orchestrated by one or more of the number of codepacks 112.

FIG. 2 illustrates a functional block diagram associated with providing VM services in accordance with a number of embodiments of the present disclosure. The embodiment of FIG. 2 illustrates detection of malware on a virtual workstation 214. FIG. 2 includes a user VM 210, which can be analogous to user VM 110 in FIG. 1, and a virtual workstation 214, which can be analogous to virtual workstation 114 in FIG. 1. In the embodiment of FIG. 2, the virtual workstation 214 includes a worm 256. Worm 256 can spread by scanning through a number of network addresses and by sending a copy of the worm 256 to one or more of a number of service VMs (e.g., service VMs 108 shown in FIG. 1) and/or computing devices (e.g., computing device 102 shown in FIG. 1).

In the embodiment illustrated in FIG. 2, the worm 256 can send a number of requests (e.g., as shown at 232) through a physical network 252 connected to user VM 210 (e.g., as indicated by arrow 252). A NIDS codepack 212-1 residing on a NIDS VM 208-1 can intercept the network traffic (e.g., as indicated by arrow 254). The NIDS codepack 212-1 can intercept the network traffic without being connected to and/or communicating with the user VM 210 and/or the virtual workstation 214. The NIDS codepack 212-1 can intercept network traffic through special privileges that can be granted by a virtual machine monitor (e.g., virtual machine monitor 106 shown in FIG. 1). As shown at 234, the NIDS codepack 212-1 can inspect the network traffic. At 236, the NIDS codepack 212-1 can examine the network traffic and can determine whether a security threat may be associated with the network traffic (e.g., by determining whether the traffic exhibits scanning behavior). For instance, the NIDS 212-1 can identify that network traffic is abnormal.

In a number of embodiments of the present disclosure, a NIDS codepack 212-1, which is working in collaboration with a process monitor codepack 212-3, can send an alert directly to the process monitor codepack 212-3 (e.g., in response to the examined network traffic). The process monitor codepack 212-3 can decide whether to take an action in response to the alert.

In FIG. 2, a number of services offered by the NIDS codepack 212-1 and the process monitor codepack 212-3 can be orchestrated by a particular service VM (e.g., a malware police codepack 212-2 in a malware police VM 208-2 in this example). At 238, the NIDS codepack 212-1 can send an alert to the malware police codepack 212-2. In this example, the alert can indicate the detection of possible scanning behavior (e.g., based on the examination of the network traffic by the NIDS VM). At 240, the malware police codepack 212-2 receives the NIDS codepack alert. The malware police codepack 212-2 can analyze the alert and, based on a policy internal to the malware police codepack 212-2, classify the behavior that the alert is reporting. For example, the behavior can be classified as suspicious and/or as an attack, among other classifications. For example, if the network traffic is destined for port 80, then the malware police codepack 212-2 can classify the behavior as suspicious because port 80 can also be used for legitimate network traffic.

The malware police codepack 212-2 can take action to determine, in response to receiving the alert, if the behavior is legitimate network traffic or scanning behavior of a worm, for example. Legitimate network traffic can include traffic through a network that does not affect the operation of the virtual workstation 214, the user VM 210, and/or other VMs. In determining whether there is legitimate network traffic on port 80, for example, the malware police codepack 212-2 can issue a process probe request 242 via a communication channel 216 to determine if a web browser is running in the user VM 210 and/or the virtual workstation 214.

At 244, the process probe request 242 can be received by the process monitor codepack 212-3 that can be contained in a process monitor VM 208-3. At 246, the process monitor codepack 212-3 can observe a number of processes running in the user VM 210 and/or the virtual workstation 214 (e.g., to determine if a web browser is running). The observations can be done through an introspection library (e.g., introspection library 117 described in connection with FIG. 1). For example, the process monitor codepack 212-3 can request a number of running processes from the introspection library. The introspection library can determine, via high-level introspection access, which processes are running. The introspection library can provide a list of the running processes along with associated data to the process monitor codepack 212-3. The process monitor codepack 212-3 can determine, for example, whether the running processes are a legitimate source of the detected scanning behavior. In this embodiment, at 248, the process monitor codepack 212-3 sends a reply to the malware police codepack 212-2 indicating that there is no legitimate source of the scanning behavior (e.g., a negative reply).

At 250, the malware police codepack 212-2 receives the reply. The malware police codepack 212-2 can interpret the reply as confirmation that the network behavior is malicious scanning behavior (e.g., in response to the negative reply from codepack 212-3). The malware police codepack 212-2 can orchestrate a number of actions through a number of codepacks in response to the confirmation of malicious scanning behavior. For example, the malware police codepack 212-2 can change a threat level associated with a user VM 210 and/or the virtual workstation 214. The malware police codepack 212-2 can also quarantine the user VM 210 and/or the virtual workstation 214 from the rest of the network.
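The FIG. 2 exchange (steps 238 through 250) modelled as an added Python example that is not part of the disclosure: a NIDS codepack, a malware police codepack and a process monitor codepack exchange messages over a communication channel on which the user VM has no endpoint, and the police codepack only escalates a port-80 scan to quarantine after a negative process probe. The outbound flow records, process names, scan threshold and the table of legitimate client programs per port are constructed for the example; the process list stands in for what the introspection library would return.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SCAN_THRESHOLD = 20  # distinct destination hosts on one port (constructed value)
# Constructed policy table: programs that legitimately originate traffic per port.
LEGITIMATE_CLIENTS: Dict[int, set] = {80: {"browser.exe"}, 443: {"browser.exe"}}


@dataclass
class Message:
    sender: str
    kind: str      # "alert", "process_probe" or "probe_reply"
    payload: dict


class CommunicationChannel:
    """Stand-in for communication channel 216: codepacks register endpoints,
    the user VM never does. Every message is logged, as a management VM
    recording broker traffic would see it."""
    def __init__(self) -> None:
        self._endpoints: Dict[str, callable] = {}
        self.log: List[Tuple[str, str, str]] = []

    def register(self, name: str, handler) -> None:
        self._endpoints[name] = handler

    def send(self, msg: Message, to: str) -> Optional[Message]:
        self.log.append((msg.sender, to, msg.kind))
        return self._endpoints[to](msg)


class NidsCodepack:
    """Codepack 212-1: inspects the user VM's outbound traffic (steps 234-236)
    and alerts the malware police when one source fans out to many hosts."""
    def __init__(self, channel: CommunicationChannel) -> None:
        self.channel = channel

    def inspect(self, flows: List[Tuple[str, str, int]]) -> Optional[str]:
        """flows: (src_ip, dst_ip, dst_port). Returns the police verdict or None."""
        targets = defaultdict(set)
        for src, dst, port in flows:
            targets[(src, port)].add(dst)
        for (src, port), hosts in targets.items():
            if len(hosts) >= SCAN_THRESHOLD:
                alert = Message("nids", "alert", {"src": src, "dst_port": port, "hosts": len(hosts)})
                return self.channel.send(alert, "malware_police")  # step 238
        return None


class ProcessMonitorCodepack:
    """Codepack 212-3: answers process probes (steps 244-248) from the process
    list obtained through introspection, never by asking the user VM."""
    def __init__(self, channel: CommunicationChannel, running: List[str]) -> None:
        self.running = set(running)  # constructed stand-in for introspection output
        channel.register("process_monitor", self.handle)

    def handle(self, msg: Message) -> Message:
        port = msg.payload["dst_port"]
        legit = self.running & LEGITIMATE_CLIENTS.get(port, set())  # step 246
        return Message("process_monitor", "probe_reply", {"legitimate_source": sorted(legit)})


class MalwarePoliceCodepack:
    """Codepack 212-2: classifies alerts by an internal policy and orchestrates
    the response (steps 240, 242, 250)."""
    def __init__(self, channel: CommunicationChannel) -> None:
        self.channel = channel
        self.threat_level = "normal"
        self.quarantined = False
        channel.register("malware_police", self.handle)

    def classify(self, alert: Message) -> str:
        # Ports that also carry legitimate traffic are only "suspicious" until
        # the process probe rules out a legitimate source.
        return "suspicious" if alert.payload["dst_port"] in LEGITIMATE_CLIENTS else "attack"

    def handle(self, alert: Message) -> str:
        verdict = self.classify(alert)  # step 240
        if verdict == "suspicious":
            probe = Message("malware_police", "process_probe", {"dst_port": alert.payload["dst_port"]})
            reply = self.channel.send(probe, "process_monitor")  # step 242
            if reply.payload["legitimate_source"]:
                return "legitimate"  # positive reply: leave the user VM alone
            verdict = "attack"  # step 250: negative reply confirms scanning
        self.threat_level = "high"   # orchestrated response: raise threat level
        self.quarantined = True      # and isolate the user VM from the network
        return verdict


def build_demo(running: List[str]):
    """Wires the three codepacks to one channel; returns (channel, police, nids)."""
    channel = CommunicationChannel()
    police = MalwarePoliceCodepack(channel)
    ProcessMonitorCodepack(channel, running)
    return channel, police, NidsCodepack(channel)


# Constructed traffic: the user VM at 192.168.1.10 probing 25 hosts on port 80.
SCAN_FLOWS = [("192.168.1.10", f"10.0.0.{i}", 80) for i in range(1, 26)]
BENIGN_FLOWS = [("192.168.1.10", "10.0.0.5", 443), ("192.168.1.10", "10.0.0.6", 443)]

if __name__ == "__main__":
    channel, police, nids = build_demo(["System", "svchost.exe", "updater.exe"])
    print(nids.inspect(SCAN_FLOWS), police.threat_level, police.quarantined, channel.log)
```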

FIG. 3 illustrates a functional block diagram associated with providing VM services in accordance with a number of embodiments of the present disclosure. The embodiment of FIG. 3 illustrates a reaction to malware on a user VM. FIG. 3 includes a user VM 310, which can be analogous to a user VM 210 in FIG. 2, and a virtual workstation 314, which can be analogous to a virtual workstation 214 in FIG. 2, with a worm 356, which can be analogous to a worm 256 in FIG. 2.

A malware police codepack 312-2 (e.g., analogous to a malware police codepack 212-2 in FIG. 2) in a malware police VM 308-2 (e.g., analogous to a malware police VM 202-2 in FIG. 2) can react to a worm 356. In this embodiment, the malware police codepack 312-2 reacts by orchestrating a number of services that a number of codepacks perform to secure a virtual workstation 314 and/or a user VM 310. For example, at 358, malware police codepack 312-2 issues a virus scan request for a user VM file system to an antivirus codepack 312-1 in an antivirus VM 308-1 and an integrity monitor codepack 312-4 in an integrity monitor VM 308-4. The virus scan request can be delivered through a communication channel 316 (e.g., analogous to communication channel 216 in FIG. 2).

At 360 and 362, an antivirus codepack 312-1 and an integrity monitor codepack 312-4, respectively, receive the requests from the malware police codepack 312-2. At 364, the antivirus codepack 312-1 searches for malware in the user VM file system through an introspection library (e.g., introspection library 117 in FIG. 1). At 366, the integrity monitor codepack 312-4 examines running processes against a previously established signature for each process. At 368 and 370, scanning reports are sent to the malware police codepack 312-2 with the results of the antivirus codepack 312-1 search and the integrity monitor codepack 312-4 examination. The reports can include malware files found by the antivirus codepack 312-1 and/or discrepancies between processes found and previously established process signatures, for example.

At 372, the malware police 312-2 receives the reports. At 374, the malware police 312-2 issues a process probe request, in response to the reports, to the process monitor codepack 312-3 that can be in a process monitor VM 308-3 to determine if the malware files and/or the processes with discrepancies are running in the user VM 310 and/or the virtual workstation 314. At 376, the process monitor codepack 312-3 (e.g., analogous to a process monitor codepack 212-3) receives the process probe request. At 378, the process monitor codepack 312-3 examines the user VM 310 and/or virtual workstation 314 for running processes through an introspection library. If the process monitor codepack 312-3 determines that a malware process and/or a process with discrepancies is running on the user VM 310 and/or the virtual workstation 314, then the process monitor codepack 312-3 can reply, at 380, with a positive process probe response to the malware police 312-2, with the positive reply indicating that malware was found running on the user VM 310 and/or the virtual workstation 314.

At 382, the malware police codepack 312-2 receives the positive process probe response. At 384, the malware police issues a kill process command to terminate the offending process. The introspection library can be used to terminate the offending process.

Embodiments of the present disclosure are not limited to the examples described in FIGS. 2 and 3. For instance, embodiments are not limited to instances of malware, etc. The figures are illustrative and can be adapted to provide various embodiments of orchestration, collaboration, and/or independent approaches, among other embodiments.

FIG. 4 illustrates a system 490 for providing VM services in accordance with a number of embodiments of the present disclosure. The embodiment of FIG. 4 illustrates a source of the third party CRI. FIG. 4 includes a manager 418, which can be analogous to a manager 118 in FIG. 1, a number of computing devices 402-1, . . . , 402-N (e.g., referred to generally as 402), which can be analogous to a computing device 102 in FIG. 1, a network 494, and a database 492.

In the embodiment of FIG. 4, the database 492, manager 418, and/or computing devices 402 can be connected through a network 494, which can be a communication channel. For example, a manager 418 can update a number of codepacks (e.g., codepacks 112) in the computing devices 402 with sets of third party CRIs from a database 492, which serves as a source of sets of third party CRIs. The sets of third party CRIs can be analogous to the sets of third party CRIs as described above in connection with FIG. 1. The update can occur through the network 494, for example.

CONCLUSION

The present disclosure includes methods and systems for providing virtual machine services. A number of embodiments can include a user VM with a virtual workstation, a number of service modules that can provide a number of services without communicating with the user VM and/or the virtual workstation, a communication channel that allows the number of service modules to communicate with each other, a computing device, and a manager. A number of embodiments can also include a virtual machine monitor to enforce an isolation policy within the system.

It will be understood that when an element is referred to as being “on,” “connected to” or “coupled with” another element, it can be directly on, connected, or coupled with the other element or intervening elements may be present. In contrast, when an element is referred to as being “directly on,” “directly connected to” or “directly coupled with” another element, there are no intervening elements or layers present. As used herein, the term “and/or” includes any and all combinations of a number of associated listed items.

It will be understood that, although the terms first, second, etc. may be used herein to describe various elements, these elements should not be limited by these terms. These terms are only used to distinguish one element from another element. Thus, a first element could be termed a second element without departing from the teachings of the present disclosure.

Although specific embodiments have been illustrated and described herein, those of ordinary skill in the art will appreciate that an arrangement calculated to achieve the same results can be substituted for the specific embodiments shown. This disclosure is intended to cover adaptations or variations of a number of embodiments of the present disclosure. It is to be understood that the above description has been made in an illustrative fashion, and not a restrictive one.

Combination of the above embodiments, and other embodiments not specifically described herein, will be apparent to those of skill in the art upon reviewing the above description. The scope of the number of embodiments of the present disclosure includes other applications in which the above structures and methods are used. Therefore, the scope of the number of embodiments of the present disclosure should be determined with reference to the appended claims, along with the full range of equivalents to which such claims are entitled.

In the foregoing Detailed Description, some features are grouped together in a single embodiment for the purpose of streamlining the disclosure. This method of disclosure is not to be interpreted as reflecting an intention that the disclosed embodiments of the present disclosure have to use more features than are expressly recited in each claim.

Rather, as the following claims reflect, inventive subject matter lies in less than all features of a single disclosed embodiment. Thus, the following claims are hereby incorporated into the Detailed Description, with each claim standing on its own as a separate embodiment.

What is claimed is:
1. A computer implemented method for providing virtual machine services, the method comprising: providing a user virtual machine (VM) having access to a number of virtual resources; providing a number of service VMs having a number of service modules that provide a number of services to the user VM by accessing the virtual resources, wherein each of the number of service modules includes: a requirements declaration that describes resources required by a corresponding service module; a cryptographically signed certificate that allows the corresponding service module to access the number of virtual resources which includes a number of memory pages, network traffic, and a number of virtual storage devices associated with the user VM; a management policy that is used to regulate each of the number of service modules; a security policy that specifies an access that the corresponding service module can have to the number of memory pages, the network traffic, and the number of virtual storage devices; a baseline configuration that establishes settings required to start the corresponding service module in a default mode; and isolating the user VM from the number of service VMs through a virtual machine monitor that prevents communication between the user VM and the number of service VMs.
2. The method of claim 1, including accessing the number of virtual resources through an introspection library, wherein the introspection library provides direct access to the virtual resources without communicating with an agent that is in the user VM and without communicating with the user VM.
3. The method of claim 2, including providing the number of services to the user VM via a read and write access to the number of virtual resources that are provided to the number of service VMs by the introspection library.
4. The method of claim 2, wherein accessing the number of virtual resources without communicating with the user VM includes accessing a number of memory pages, network traffic, and a number of virtual storage devices associated with the user VM.
5. The method of claim 1, wherein isolating the user VM from the number of service VMs through the virtual machine monitor includes creating a barrier that prevents malware from crossing from the user VM into the number of service VMs.
6. A system for providing virtual machine services, comprising: a first computing device including processor and memory resources and a virtual machine monitor configured to enforce an isolation policy between a number of virtual machines (VM); a user VM that allows a user to access a number of virtual resources; a number of service modules within a number of service VMs, wherein each of the number of service modules includes: instructions executed to provide security related services; an authentication mechanism that is used to uniquely identify each of the service modules and an associated security policy; a management policy that regulates the operation of the corresponding service module; the security policy that specifies an access that the corresponding service module has to the virtual resources; a communication channel that allows the number of service modules to communicate with each other, wherein the number of service modules and the number of service VMs are isolated from the user VM through the communication channel and through the isolation policy enforced by the virtual machine monitor; and a management module within a management VM that allows a manager to communicate with the number of service modules and the number of service VMs, wherein the management VM is isolated from the user VM and wherein the manager modifies and updates the management policy and the security policy in each of the number of service VMs.
7. The system of claim 6, further comprising a second computing device including the management module and the management VM.
8. The system of claim 7, wherein the management module manages the number of service modules in a number of computing devices including the first computing device, with each of the number of computing devices having a number of user VMs that are isolated from the management module and the number of service modules.
9. The system of claim 6, further comprising a message broker that restricts access to the communication channel based on an identification assigned to each of the number of service modules by an authentication mechanism.
10. The system of claim 9, wherein the communication channel connects the message broker with the management VM and wherein the management VM records a log of traffic that passes through the message broker.
11. A system for providing virtual machine services, comprising: a first computing device including processor and memory resources and a virtual machine monitor configured to enforce an isolation policy between a number of virtual machines (VM); a user VM that allows a user to access a number of virtual resources; a number of service modules within a number of service VMs, wherein each of the number of service modules includes: instructions executed to provide security related services; an authentication mechanism that is used to uniquely identify each of the service modules and an associated security policy; a management policy that regulates the operation of the corresponding service module; the security policy that specifies an access that the corresponding service module has to the virtual resources; a communication channel that allows the number of service modules to communicate with each other, wherein the number of service modules and the number of service VMs are isolated from the user VM through the communication channel and through the isolation policy enforced by the virtual machine monitor; a management module within a management VM that allows a manager to communicate with the number of service modules and the number of service VMs, wherein the management VM is isolated from the user VM; and a message broker that restricts access to the communication channel based on an identification assigned to each of the number of service modules by an authentication mechanism.
12. The system of claim 11, further comprising a second computing device including the management module and the management VM.
13. The system of claim 12, wherein the management module manages the number of service modules in a number of computing devices including the first computing device, with each of the number of computing devices having a number of user VMs that are isolated from the management module and the number of service modules.
14. The system of claim 11, wherein the manager modifies and updates the management policy and the security policy in each of the number of service VMs.
15. The system of claim 11, wherein the communication channel connects the message broker with the management VM and wherein the management VM records a log of traffic that passes through the message broker.